Understanding the OWASP Mobile Top 10 Security Risks: Part One (M1-M3)
Mobile apps are a ubiquitous feature of modern life. Stats show that there are more than three billion smartphone users around the world, who downloaded over 200 billion apps in 2019, up 45% from 2016. These users spent an average of 5 hours a day on their phone, interacting with apps for 92% of that time. The COVID-19 pandemic has pushed these numbers even higher—App Annie reported a 20% increase in time spent in apps for Q1 2020.
When you consider what kind of information these apps hold, those numbers ring alarm bells. From personal identifying data to sensitive health and financial information, apps contain a treasure trove of data that hackers seek to exploit. And since apps are deployed in environments beyond the developer’s control, an insecurely built app puts organizations at risk for millions in lost business, regulatory fines, and remediation costs.
The numbers on app vulnerability
With the incredible growth in adoption of mobile devices and the sheer amount of data that mobile apps hold, apps have become an increasingly large target for hackers. This is exacerbated by the fact that popular apps run on so many devices: exploiting a single app can lead to tens of millions of devices being compromised.
Here are just a few startling figures around mobile app vulnerability:
- 70% of the 250 most popular Android apps leaked data, according to a NowSecure study
- 92% of online retail apps leaked data, according to the same study
- Researchers found that 83% of apps have at least one security flaw
- 76% of apps exhibit insecure data storage
- More than 70% of the top 100 financial apps had at least one high level vulnerability, according to a security audit
- Peer-to-peer payment (P2P) fraud grew 733% between 2016 and 2019
What is the OWASP Mobile Top 10 list?
Identifying and understanding the greatest mobile threats is important for developers, businesses, and security-conscious consumers alike. For this reason, the Open Web Application Security Project (OWASP) maintains an updated list of the most critical security risks to mobile apps.
Formed in 2001, OWASP is a nonprofit foundation focused on improving software security, with tens of thousands of members around the world. The OWASP Mobile Top 10 Threats is a list sourced from this international group of developers and mobile security experts that outlines the biggest challenges to mobile app security. The list forms a core guideline to build more secure mobile apps for developers, and the businesses and consumers who use them. In this blog series, we take a closer look at what the OWASP Mobile Top 10 Vulnerabilities are, how they affect mobile apps, and what can be done to mitigate them.
OWASP Mobile Top 10 Threats: M1-M3
M1: Improper Platform Usage
The operating systems or platforms used by mobile apps and devices provide a wide range of functionality, including security features. Improper platform usage is when an app does not implement these features correctly, thereby allowing them to be used as avenues of attack or exposing data to attackers.
Why it’s a problem
Through insecure development practices, an exposed API call, such as usage of iOS Touch ID or Android Intents, can become a means for a hacker to attack a device. By finding coding flaws and using them to gain access, hackers exploit the permissions that have been granted to an app. They can subsequently inject inputs or unexpected execution commands to compromise a device and steal data. Similarly, failing to correctly use security features such as iOS keychain can leave secret data exposed.
How apps are vulnerable to improper platform usage
There are a number of ways that applications can, inadvertently or otherwise, open up platform vulnerabilities. Unlike the rest of the OWASP Mobile Top 10 vulnerabilities, these issues do not rest solely with the app developer, but can also arise from incomplete documentation or poor communication on the part of the OS vendor.
Some of the most common examples of improper platform usage are:
- Android Intents: Intents are a form of communication between apps and the Android platform. These intents can be misused and enable unintended executions or be ‘sniffed’ by attackers to extract data from a device.
- Android File Permissions: When developers don’t properly restrict app and file access, hackers can tamper with or manipulate files and force them to execute malicious code.
- iOS Keychain: All security and sensitive data, such as passwords, keys, and certificates, should be stored on iOS’ secure Keychain. If an app stores sensitive data in app local storage, it can be easily accessed and leveraged in an attack.
- iOS Touch ID: This gives iOS users an extra layer of verification for using their device. However, the fingerprint that’s used can be stored incorrectly by an app’s developers (such as in the LocalAuthentication framework), which can lead to exploitation.
What can be done
The best way to avoid creating vulnerabilities through improper platform usage is to understand and strictly follow platform development guidelines. Following best practices for features such as iOS Keychain, Touch ID, and Android Intents minimizes the chance of loosely implemented controls. Restricting an app from communicating with other apps also limits the damage a flaw can cause and the significant reputational harm that can follow.
M2: Insecure Data Storage
Next on the list of the OWASP Mobile Top 10 vulnerabilities is the issue of data storage. Most apps store some kind of information about their users, often referred to as personally identifiable information (PII). This can range from access tokens and option preferences to medical history and credit card details. If this data is not stored securely, hackers can access it and use it for a number of purposes.
Why it’s a problem
Insecure data storage is a high-severity vulnerability with many potential misuses. Developers often assume that the device filesystem and the device’s datastores are inherently secure. On the contrary, filesystems are actually pretty accessible. Additionally, rooted or jailbroken devices circumvent most OS-level encryption. Once there is clear access, hackers can use data stolen from insecure apps or devices in many ways, with major consequences for both users and businesses. Some examples are:
- Identity theft: Using details gathered about a user, the hacker can impersonate them to steal even more information or open a bank account or credit card in their name.
- Fraud: If a hacker manages to gain access to card or payment details, they can make purchases or use details to commit email payments fraud, a type of fraud where users are directed to deposit payments in false accounts by what they think is a legitimate vendor.
- Regulatory violations: Multiple regulations govern the strict protection of sensitive data with steep fines and other penalties for non-compliance.
- Reputation damage: Major hacks don’t just inflict material costs through regulatory fines and money stolen—they also carry significant reputational damage. Studies by IBM show that companies believe reputational damage to be the biggest cost they pay due to data breaches.
How apps are vulnerable to insecure data storage
Insecure data storage comprises a large number of attack vectors, including poor encryption, compromised devices, and insecure access protocols.
The following are just some of the ways that hackers can exploit insecure data storage to steal data:
- Through the operating system: This includes how and where the OS stores data, images, tokens, and binary data.
- Development framework: How and where an app stores data, images, and log files or how it syncs to the cloud.
- Ad, analytic, or social frameworks: Data and information such as cookies and preferences are stored for advertising and analytics or for social networks to remember preferences but can easily be hacked and exploited.
- Rooted or jailbroken devices: Compromised devices that run apps outside the OS’s secure framework can be used to access data that would not normally be reachable.
What can be done
It’s essential for secure storage that data is protected and encrypted effectively. For mobile apps, this means encrypting all sensitive information and data stored in the application and enforcing proper authorizations. Additionally, encryption moves the focus from the data to the keys protecting the data. Make sure key protection is part of the security strategy. Given that you can never be sure if the device itself has been compromised, it is important to implement security measures beyond those provided by the OS. Deploy application shielding technologies to harden code against hacking attempts and protect encryption keys.
M3: Insecure Communication
Mobile apps constantly send and receive data in a client-server arrangement, either through a telecom carrier or the internet. Even apps that can be used offline periodically connect to a server to receive updates. Hackers can eavesdrop on these transmissions to steal sensitive data coming from a user’s device or change the data that is being sent to it.
Why it’s a problem
Insecure communication is considered an easy-to-exploit vulnerability with high severity among the OWASP Mobile Top 10 vulnerabilities. Mobile devices may use several different modes of communication in the space of a few hours, such as home or work Wi-Fi, open Wi-Fi in a public space or cafe, or mobile data over their carrier’s network.
Sensitive data, including encryption keys, personal information, payment details, passwords, credentials, and metadata, can all become visible if a hacker intercepts communications. Man-in-the-middle and phishing site attacks are particularly common in connection with insecure communication.
How apps are vulnerable to insecure communication
Mobile apps are vulnerable to insecure communication if transport security is not sufficient or is not implemented properly. Here are some situations where hackers can exploit mobile app communication:
- The initial SSL/TLS handshake is properly verified, but there is no ongoing verification or the cipher suite negotiated is weak in itself.
- The certificate used by the server in the TLS handshake is not verified, meaning the subsequent communication established is not based on valid security.
- The network carrying the communications may have been compromised. This includes Wi-Fi networks or local network routers.
- There may be malware already on the device or a compromised app which spies on communications.
- Data is tampered with while it is being transmitted between the server and the client device, known as a man-in-the-middle attack.
What can be done
Like other issues on the OWASP Mobile Top 10 list, there are a variety of ways that hackers can exploit insecure communications. Protecting mobile apps against these threats requires a holistic security approach. This includes:
- Ensuring server certificates are signed by a trusted Certificate Authority (CA) and not accepting self-signed certificates.
- Employing industry-leading cipher suites that use sufficient key lengths (AES 128 and above).
- As validation and security of the TLS connection are so important, using an end-to-end TLS security solution such as whiteCryption’s SKB for TLS can ensure that session and cryptographic keys cannot be compromised.
- Flaws in network traffic or invalid certificate usage can be flagged to users, allowing them to decide whether to end or continue the communication.
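As an added example (not code from the original post), the checklist above mapped onto a TLS client configuration using Python’s standard `ssl` module: the weak settings a developer reaches for to “make it work” beside the hardened ones, plus an audit function that flags disabled certificate verification, missing hostname checks, legacy protocol versions, and weak cipher suites. The cipher allow-list is a constructed assumption; it runs offline and opens no connection.

```python
import ssl

# Constructed allow-list (an assumption, not from the post): forward-secret
# suites with AES-128 or stronger, which is what "AES 128 and above" means in
# practice for TLS 1.2. TLS 1.3 suites are managed by OpenSSL separately.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off so that 'it just works'.

    Any certificate is accepted, including a self-signed one presented by a
    man-in-the-middle, and legacy protocol versions are allowed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # hostname never matched to the cert
    ctx.verify_mode = ssl.CERT_NONE   # server certificate never validated
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # TLS 1.0 allowed
    except ValueError:
        pass  # this OpenSSL build refuses TLS 1.0 entirely, which is fine
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2+, strong ciphers only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Flag the M3 weaknesses listed above in a client context before it is used."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (%s)" % ctx.minimum_version.name)
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < 128
            or any(bad in c["name"] for bad in ("RC4", "DES", "NULL", "MD5"))]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```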
Stay tuned for Part Two
The OWASP Mobile Top 10 list illustrates how serious and pervasive the risks are in mobile app development. Understanding and mitigating these risks is critical. We continue digging into the list in Part Two of our 3-part series, but meanwhile if you’re interested in finding out how Intertrust’s application shielding solutions can help keep your apps secure, download the whiteCryption Code Protection white paper or get in touch with our team.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.